Bites & Bytes Podcast
The Double Andrew Rose Special: Insights on Cybersecurity in AgroFoods
Thu, 20 Jun 2024
In this special episode of the Bites and Bytes Podcast, host Kristin Demoranville is joined by two cybersecurity experts, both named Andrew Rose, for an insightful discussion on the intersection of cybersecurity and AgroFoods. Andrew Rose, from the UK, is currently the Chief Security Officer (CSO) at SoSafe and formerly the CISO at Proofpoint, CSO at Mastercard UK, and CISO at the National Air Traffic Services (NATS). The other, Andrew Rose, is from the US; he’s an Ag Futurist and a cybersecurity advisor specializing in agricultural production, including advising for BIO-ISAC. Learn about the critical role of resiliency in the agri-supply chain, the impact of human error on cybersecurity, and the need for education and awareness to prevent breaches. Explore how cybersecurity integrates into food safety culture and the importance of building security into agri-tech products. The discussion also covers emerging cybersecurity trends, the role of government agencies like the FBI, and the global implications of food security. Tune in for expert insights, practical advice, and a deeper understanding of the unique challenges and opportunities in agri-food cybersecurity and this critical infrastructure. Also, Happy Pride! 🏳️🌈
-----------------------------------------------------
Episode Key Highlights:
(16:03 - 16:55) National Seminars on Agricultural Security Threats
(19:19 - 20:24) Lessons for Food Industry Cybersecurity
(22:50 - 23:54) Importance of Data Integrity and Availability
(27:51 - 29:22) Social Engineering
(34:03 - 35:46) Food Security and Existential Risks
(39:13 - 40:17) Impact of Global Food Economy
(41:29 - 42:09) Impact of Ukraine on Grain Prices
(49:34 - 51:11) Rising Nation-State Threats in Cybersecurity
(53:13 - 54:22) Importance of Product Security in Agro-Tech
(59:46 - 01:00:55) Financial Impact of Ransomware Attack
-----------------------------------------------------
Notes from the Show:
Scott’s Pizza Tour – NYC
Secret Pizza – Las Vegas
Reporting Agricultural Incidents (Ic3.gov)
-----------------------------------------------------
🏳️🌈👊⚡️ Pride Merch 🏳️🌈👊⚡️
Bare Knuckles & Brass Tacks Podcast
BKBT Pride Merch Shop
Learn more about Out in Tech
Learn more about the Scholarship for LGBTQ+ students
This BKBT podcast episode discusses these causes and the Pride Merch Shop.
----------------------------------------------------
Bites and Bytes Podcast Info:
Website: Explore all our episodes, articles, and more on our official website. Visit Now
Merch Shop: Show your support with some awesome Bites and Bytes gear! 🧢👕 Shop Now
Blog: Stay updated with the latest insights and stories from the world of cybersecurity in the food industry. Read Our Blog
Audience Survey: We value your feedback! Help us make the podcast even better. Take the Survey
Schedule a Call with Kristin: Want to share your thoughts? Schedule a meeting with Kristin! Schedule Now
Welcome to another episode of the Bites and Bytes podcast. I'm your host, Kristin Demoranville, and today I have a really special treat for you. Joining me are two incredible cybersecurity experts, and yes, they are both named Andrew Rose. Thankfully, their accents will make it easy to tell them apart.
I will let them tell you about their backgrounds, but let's just say both Andrews are well-known in their respective cybersecurity domains. I am honored to have them both on the show. We had a fascinating discussion about cybersecurity and agri-food and had a lot of laughs. This will be a longer than normal episode. Trust me, this conversation is well worth your time.
So grab your favorite snack or beverage, enjoy your workout, commute, project, housework, or simply drive safely. Let's get started. Well, hi, everyone. Welcome. I have the privilege of speaking to two, you heard that correctly, two Andrew Roses. I'm honored to have them both here. They both have a wealth of experience.
So I'm going to quickly jump into our favorite omen of the podcast, favorite food and favorite food memory. Andrew UK, as I'm going to call you, you can start.
Hi there. Thanks for inviting me on the podcast. Lovely to be here. Favorite food is probably lasagna. I do love a good lasagna. Oh my gosh. And I'm not sure if this is weird or not, but I do love it with fries. Like in lasagna or on the side? No, on the side. Okay.
I was like, oh, wait a minute.
So you dip it in the marinara kind of thing? Yeah, a little bit, a little bit of that, definitely. It's really good. But I do love lasagna, is my favorite thing. Probably shocking that, uh, someone from the UK likes chips on the side of the lasagna. Just gonna put that out there, because every time I ask for a side at dinner in my house, it's always chips. The answer is chips. All right.
It really is. Well, coming from the UK, absolutely it is. So that's my favorite food. I think my favorite food memory actually relates to what used to be my favorite food, which was pizza. I spent many years as a complete pizza nerd because we used to live in New York. And whilst we lived there, we went on a pizza tour. And this pizza tour still happens.
So I recommend it to anybody who goes to New York, Scott's Pizza Tour. I am not sponsored by Scott, but he did do the tour. And it's incredible. He takes you around all of the old pizzerias in New York and he explains the history behind New York pizza and the science behind it. How about the pH of the water, how that affects the pizza and all sorts of stuff. And it's thrilling and amazing.
And he takes you around and talks about all the different types of ovens and you try a slice in all these different pizzerias so you can compare and contrast. It's an amazing experience. I absolutely loved it.
My wife did say that she'd never actually seen me have such an immediate bromance as I did with Scott when I first met him, because I was just like on his shoulder all the time learning about pizza and hanging out with him. But it was really good. So if anyone goes to New York, I'd definitely recommend that. That's my probably favorite food memory.
I'll try to find it for the listeners and put it in the show notes. I've never heard of a pizza tour before. Like that, that is interesting. And the fact that it goes into the science of it, that's incredible. It's amazing. Wow. I mean, I think we could probably geek out on pizza then because that's great. Like that's fantastic. Thank you for that. And other Andrew.
Thank you for having me here. This is a huge honor. I can't believe that I was mistaken for someone else, but it certainly has aided me here at this point in my life. And then for the two of you, one of the best pizza joints I've ever eaten at is in Vegas. It's called Secret Pizza. And there are no signs. You have to be able to find this place.
I've been there. I've been there. Yes. I heard about it. It is weirdest down this little corridor. Uh-huh. Exactly. Yeah.
Yeah. I've been there. And you only go there after 12 o'clock, you know, like 2 a.m. There's a line out the door, but it's an amazing place. Anyway, my favorite food and the favorite food memory are both linked together. And my favorite food is lobster.
I've often thought if I had done something really, really bad and I was locked in a cell and have one last meal to eat on this planet, it would be a lobster and not just a lobster. It'd be boiled in the seawater from Bar Harbor, Maine. When I was a kid, I spent several weeks on a boat, sailboat off the coast of Maine, and we pulled into Bar Harbor and you get a $5 lobster and you boil in the water of the bay there with some clams and other things, a little bit of seaweed. And it's that, that, that right there is a memory in itself.
I was born in Maine. So like you just touched my heart. Like that is, that is it. And actually the episode before that I just reported, it's probably been released now. We were talking about lobster rolls. So like, this is great. Like I, I love that people are into lobster. I'm like, yes. And of course I'm kind of like growing out of it now because I've had it so much. So I completely,
nostalgic moment you just described is how childhood was. And, you know, we've reached that point in our lives where they will crack the shell for us and take the meat out so we don't have to do all that work, you know, the way it was very manual back in the day when I was a kid.
Yeah. Actually, you know the trick with that is since, you know, I also live close to Maryland, so blue crabs are very popular here. I don't crack shellfish. I just, I think I got attacked by like the antenna too many times when I was a kid and I just kind of like am over it. It's just gross. It's a giant bug.
If you sit next to people and you ask them what their favorite part of the lobster or the crab is, they will literally crack it for you and hand it to you. So you don't have to do anything.
You just walk around the table and be like, tell me your favorite part, and then they'll give it to you. I've tried this multiple times. It works. So I don't have to touch anything. This sounds really weird. I mean, it is, it is weird, but it's delicious. It really is. And you have to have a lot of butter for the lobster, like drawn butter with lemon. Yeah, absolutely. Yeah. Yeah, you have to definitely do that.
And it's amazing. I actually love steamer clams, fried steamer clams with shoestring onion rings or fried scallops and like little really crispy fries. Like those are like, I crave those daily almost. Can't get them unless you're like on the beach because you could have like a little bit of grit of sand in it because that's just like the way it should be in like a little gritty sand in it.
Amazing.
It's like childhood all over again, thinking about it. Oh my goodness.
Well, I do have a bonus answer to that one too, because I was on the fence. The other thing is I love scones. Two years ago, I spent six months working from the road just to see if I could pull it off, working little tertiary towns. And when I go into one of these small towns across the US, the first thing I try to do is find a coffee shop, a local coffee shop and get a cup of coffee.
And if they have a scone, I buy a scone. And then I listened like a thief to the conversations around me to get a sense of the vibe of the town. I checked the corkboard out to see what kind of things are being advertised and up there. And after six months of eating scones, I got back and said, boy, there's a few of those I miss. I don't even know how to make a scone.
And so I went on YouTube and started teaching myself how to make scones. And for the last about 18 months, I've been baking scones and people love them. People more than my friends and family love them. So I don't take that sort of feedback with any kind of any weight or measurement of how good they are. But it appears that my scones are a hit. So I'm becoming known for my scones as well.
So are you doing the triangle scones or are you doing the circle scones?
Well, you know, yeah, those are fairly pedestrian shapes. Um, I, uh, I also like to go to, uh, antique malls, and I look for the cookie cutters that are deep enough. So I've got any shape you can imagine. I like the hearts a lot, because I figure if you make a heart-shaped scone and if someone has a broken heart, you give it that two of them and they always feel better about themselves. But I've got cats and cows and flowers and stars, like any shape you can imagine. So no, not, not those mundane pedestrian scones you might find in the stores.
That's great. And the biggest question, though, and I know Andrew will agree with from the UK side, is it cream before jam or is it jam before cream? Because this could be a make or break conversation right here.
Well, you know how our friends are over the ocean there. They have words for things that are inappropriate. So what they might call a scone, we might call a biscuit, you know, and one might have an egg in it. The other one might not have an egg in it. And I'm not that pure. I just want to go with taste best. You know, this is my palate I'm concerned with.
So I'm going to I'm not going to touch that one. Yeah.
Well, I think there's a definite answer to that, frankly. From an English perspective, it's obviously cream first, jam second. And what we all steer clear of is the tea situation, whether you actually put the milk in first or the milk in later, because that's equally contentious, but also has a very clear answer from my perspective. It's first. Oh, I just didn't know. Oh, good grease.
Yeah, point of play here. Me and the viewer obviously raised in the southern part of the United States where sweet tea is the beverage of choice.
And there it is. I couldn't get behind it.
It was too sweet. Well, the thing there is, do you put the sugar in when the water is hot or cold?
I don't know. I never made it. So that's a, I have no idea.
Put it in when it's hot. Otherwise it gets cloudy.
Okay. That's good to know if I ever made it. No, I actually, I actually just like iced tea black. I don't really put anything in it. So, and most of the time it's herbal tea here, except for when the in-laws come over, they usually bring like a huge bag of tea over from the UK, even though we could buy it here, but it's cheaper. So that's what we get. Of course, a cup
of tea is a very complicated conversation anyways, because everybody has their tea a certain way. And if you say, I'll take a cup of tea, well, to me, what kind of tea do you want? Because I have like 16 varieties at least. And it's just a normal cup of tea. What does that mean? Like, so it's always just black tea whenever Tetleys or whenever I've got kicking around the house.
Just makes me laugh because it's always like this part of like a weird conversation, always with tea.
If you're asking a British person about tea and they just say a cup of tea, they mean English breakfast tea. Yeah. Which is the same sort of standard hot black tea, which is Tetleys and PG tips and things like that. If they're going off piste and going for something a bit more sophisticated, like an Earl Grey, they will specify.
So yeah, just English breakfast, just default to that and you'll be fine.
Okay. I will try to do that. Usually I just throw it in, but you know, my partner likes it very weak and I like just leave tea bags in because I don't care. It's strong and it's fine. But he's like literally like two seconds in dip and it's like, you want a whisper of tea. That's what you should say, a whisper of tea.
Yeah.
There's a lot of oddness. I still am learning terms. I'll be honest. I don't, I don't say like, like kitchen roll or kitchen paper. I was so confused about that for a long time. It's paper towels. Like I didn't understand. I kept being like, why do you, what do you want? I don't, we don't have any paper in the kitchen. What are you talking about?
I'm getting better because now I translate for all my U.S. friends. I feel like that is now my service to the community as I translate British to American quite often or vice versa because sometimes we say weird things that you guys don't get either, which is fine, which is probably most of the time.
You just make the whole language up. It's a bit sad, really, what you've done to it, frankly, but hey.
Well, the nice thing is that you can literally insult somebody and they won't even know it.
Oh, absolutely. It's a very British thing. It's like a skill. Yeah. We can write emails like you wouldn't believe. You'll just get to the end of it and go, was that nice or was that really mean? I can't tell. I don't know what they were trying to say. Yeah.
Because it was written in a British accent. So it was just like, oh, it's okay. It's fine. But I love the scone making for you. Like, I think that's great. And the one question I have about that, though, the big one is, what is your favorite type, like kind, like flavor-wise that you like?
That is a good question, and I love them all. They're sweet scones and they're savory scones. My personal favorite is a candied ginger butterscotch scone with a light green sugar glaze on top. That is my favorite sweet, but for savory, I go way off the charts. I like an anchovy sun-dried tomato caper with a pickle cream on top.
So you get that sort of punch, that little, that tart bite, and it moves into more of a salty, um, umami flavor, but you get a full rich flavor. And I might throw some smoked cheddar, smoked horseradish cheddar cheese in there too, just to give it an extra oomph.
But it's certainly a confusion in the palate, but all of a sudden the flavors dance together and then you're left with this wonderful taste there. But it's, you know, I'm, I'm a, I'm kind of a backyard chef, so it's an acquired taste at times.
No, I think that's great. I mean, nobody can see our faces, but both of us were like, what? You're doing too much. It was what I was thinking. You're doing too much. But it sounds like it would be good ultimately at the end of it. So I was hoping you'd say something simple like cinnamon chip.
Way beyond that. You take it to a whole new artistry level. It's incredible.
So last night I baked mangoed candy ginger caramel scones with a simple sugar glaze and then dark cherries dried and dark, really dark chocolate with a sugar glaze as well. Heart shaped for an event tomorrow.
Wow. That sounds amazing.
I'm going to have to report back if people liked it. Wow. Andrew, I will hold you a plate and then Kristin, I'll find a way to get you some.
Well, we don't live that far away from each other, so I'm sure we can figure it out. We could have a meeting just to exchange scones. I will not be baking them. I'm not about that measurement life, so I can't do, I don't bake at all. I would rather just throw the ingredients in a pan and make it magical for dinner rather than measure. It was time for measurements.
I don't, I'm going to push back. You're a problem solver. I bet if you put your mind to it, you'd be the best scone baker we've seen.
I'd have to rival my mother. That's a hard one because she's an amazing baker too. So like, and my little sister who makes like macaroons and all these other crazy cakes. And I don't know, maybe I just don't want to compete with my female relatives on that front either to get into a bit of therapy there. I don't know.
So now that we've talked for quite a bit, which is awesome, let's do some quick introductions. Andrew, in the UK, I will have you start.
Okay, so I'm currently the chief security officer at SoSafe, which is a German company which is involved in human risk management. So we talk about changing the behavior and the culture in an organization to really sort of minimize the human attack surface. But I've actually been
employed in many organizations before this. So I was the CSO of two very large global law firms. I was the CSO of UK air traffic control, CSO of Mastercard in the UK, and also was a Forrester analyst for about five years in the middle. Uh, quite a, quite an extensive experience of security in large enterprises and critical national infrastructure, which is what sort of brought me to this topic that we're going to talk about today, really, because I think this, this topic area is very underserved and under-talked about, which is great that we're talking about it today.
Agreed. Thank you. And I love that you've done the airports and the air traffic control situation. Not many people can say that. So I love that you have a uniqueness in your own niche, whereas Andrew and I also have that uniqueness with the food. Andrew, go ahead.
All right. Well, thank you. Appreciate that. I am the other Andrew Rose, the US version of Andrew Rose. And fun fact, there is another Andrew Rose who does cyber, but we'll eventually get him into one of these podcasts. Yeah. So, I am an accidental cybersecurity advisor, expert, what have you.
I was working for a large bank that does agricultural financing and had just come off of helping stand up the Cybersecurity Association of Maryland as a favor to a friend of mine. It's not that I have any coding or cyber background, it's I know how to start nonprofits and write bylaws and put fiduciary responsibilities and governance in there and bringing sponsors.
And we hired an executive director, got an office location, got programming up and running. At about that time, I went over to the bank and I inherited a large team that was geographically dispersed. And I figured a great way to do a team building exercise was do a tabletop exercise.
And since I'd just come off cybersecurity, I figured, well, let's just do a nuclear internal disgruntled tech employee that bricks our machines, exfiltrates data, you know, the whole nine yards. And we ran through that exercise. And I won't really go into what our findings were, but it gave us 18 months of work to patch over a few holes that were uncovered.
One of the issues going into this, and for anyone out there listening, is we had assumed we had a playbook. We had assumed that whatever the crisis was, there was protocols and procedures in place to follow through that. And that was the pushback I got when I was pulling everyone together. And I said, well, we'll do this from muscle memory then.
We'll run through it just to understand what this looks like. And then we obviously identified some gaps and blind spots. What that that gave me a lot of pause. And I reached out to a friend of mine who was very high up in the U.S. Cybersecurity Command and said, hey, I'm in agriculture now and I just found something I'm a little little concerned.
Would you would you look around and just let me know what you see? And he got back to me about a month later with an OSSHIT type of email saying, hey, this is not good. And, you know, I'm just doing this as a volunteer. I'm a regular guys, but I know a lot of people. And at the same time, and I can share this publicly because there is a YouTube video.
One of our clients is a very large poultry integrator on the Eastern Shore, and their contract growers were getting hit by a variety of business email compromises and rerouting transaction numbers. And it was in the tens of millions of dollars were the hits. And no one knew what was going on. No one knew what to do. And I thought I'd be a superhero and I called the FBI.
and that they would do a YouTube video, a case counterpoint, here's what you do if this happens. And that was my first experience with dealing with the public facing information from the FBI. There is a process and procedure, it's very difficult, it's like threading a needle to get them to say anything in public, but there is a way to do that.
I put on a series of national seminars to bring awareness to the ag community that, hey, you are a target. This is a threat. We need to be aware. And I did those starting in 2016, 2017. And then probably by 2019, we'd done several very large conferences. And the time demands for me as a volunteer were so great that I needed to focus on what I was best at.
So I migrated from being everything to everybody to focusing on the emerging threats. And now and I do want to give a shout out to the FBI. They've been they've been supporting me the entire time. Whenever I need something, it's there. Whatever information needs to be shared with an audience, a speaker, what have you.
They've stood up and to their credit, they always apologize afterwards saying we could have done more, you know, and I'm always like, well, at least you're there for me. I do appreciate that. But one of their concerns is when they're called is after the incidents occurred. So the right of boom and the lack of preparation by many companies to what that looks like.
Not only are you dealing with the emotion of it, why was I attacked? Why was it me? You know, why was I singled out? Now you're going to make payroll with no records. Now you've got to send invoices out with no records. Now you've got to receive invoices with no access to your financial systems.
So I've been working on small, private-focused meetings with groups in the agricultural industry about, okay, it's not if and when, it's when and again. So let's just start planning for these things and getting ahead of these attacks. And that's my cybersecurity contribution.
What I also do, though, to keep my lights on, I work on projects that benefit our species three generations from now, primarily in agricultural production. And a lot of that's technology transfer from other countries that will then benefit soft landing. It'll benefit the U.S., but it'll also benefit them.
And then I also work as a fractional chief of staff for a variety of different companies across different categories, mostly in the agriculture sector, some in the IT sector. So that's a long-winded way of saying me. I'm in Baltimore, Maryland. So if anyone's out here in the area, I'd love to treat you to a crab cake and a cup of coffee.
And you're also harvesting or cultivating your own mealworms right now. Did you tell me that?
Yeah. Well, to get really hyper-focused in the agriculture production side, I specialize in novel plants and proteins. And that's going to be a micro or macroalgae, seaweed or a microalgae. It's going to be duckweed. It's going to be insects, space agriculture, recirculating aquaculture systems. And I do have an affinity for insects in particular. And of those, I have an
real affinity for mealworms. I love the protein emulsification. They're cold blooded, like the five to nine harvest a year. And they're fine. They're two dimensional. They don't hop. They don't fly. They don't complain. They don't make noises. They just eat their carrots and apples and whole wheat and just do their mealworm thing.
Live their best mealworm life. That's amazing. Thank you both for your introductions.
Hey, everyone. This is Kristin, your host from Bites and Bytes podcast. It's Pride Month. And at Bites and Bytes podcast, we celebrate diversity because without diversity, how can we have a secure global food supply chain?
I want to give a shout out to my friends over at Bare Knuckles and Brass Tacks podcast, which is hosted by two Georges, George K and George A. Bare Knuckles and Brass Tacks is a cybersecurity podcast that tackles the vendor customer divide with real conversations and practical solutions. Since it's Pride Month, Bare Knuckles and Brass Tacks is raising money for LGBTQ plus organizations.
This month, the profits from their Pride merch sales will be donated to Out in Tech and a scholarship fund for LGBTQ plus cybersecurity students. The Pride Bare Knuckles and Brass Tacks logo t-shirt celebrates every color under the rainbow in cybersecurity.
And the profits from this shirt go to Out in Tech, which is a nonprofit dedicated to uniting the LGBTQ plus tech community by creating opportunities for members to advance their careers, grow their networks, and leverage tech for social change. You can learn more about Out in Tech at outintech.com.
There is also a special t-shirt that features a message that's handwritten by co-host George K's daughter to support transgendered youth. Proceeds from this shirt will fund a scholarship for LGBTQ plus undergrad and graduate students pursuing cybersecurity education. You can learn more about the scholarship in the show notes.
Check out their Pride merch store and get your swag on with one of these shirts at their merch website, bkbtpodcast.shop. I've already ordered mine. Join us and Bare Knuckles and Brass Tacks in supporting Pride this month. All the information and links can be found in the show notes. Thanks for listening and happy Pride.
So let's jump into some questions that I have because everybody's probably like, well, why did you bring these two Andrews together other than it's fun because their names are the same?
There is purpose actually, because I want to have a conversation more about normal, normal, I say in quotations, practices in cybersecurity, but also let's swing in at how it relates to food and both of them have industrial backgrounds. So it works out just for the audience understanding.
Andrew, in the UK side, based on your extensive experience in industrial cybersecurity, AKA the airports and beyond, what are the key lessons that the food industry can learn to improve their cybersecurity posture, in your opinion? Oh, gosh.
Gosh, there's so many. There's so many lessons. That's the problem. When you look at the control stack that a CISO would look at for an enterprise, there's generally about 130 controls. And however you break it down, it turns out to be about 130 controls, whether it's ISO 27000 standard or the NIST standards. So there's always a lot to think about.
But I think, oh gosh, there's lots of aspects to think about. One is the evolution that I think we've seen in the industry moving from IT security, where you're just protecting the box to stop malware getting on it, to information security about, okay, now we've got to protect the value of our information and the integrity of our information.
Then moving on to cybersecurity, where it's actually, okay, well, this is going to affect our service and our service is going to be down. So we were built to deliver our value proposition. Where organizations are moving now is into cyber resilience, where actually if they have a cyber breach, it doesn't disrupt what they do.
And there's certain aspects, there's a chicken sort of growing company that I've been working with as well a little while ago. And they were talking very much about how the need for resilience is paramount to them. They need to keep their systems running. They need to keep the whole process running through. Otherwise, things get pretty horrible.
You can't back chickens up and keep them in the same pen longer than they need to be. So I think certainly focusing on that resilience journey, which many big enterprises are going through too, is a real big focus that agri-food should think about. And I think the poster child for doing this incorrectly is the Colonial Pipeline system. American guys will all know about that one.
But they had their billing system get some ransomware on it. And because the billing system was infected, they shut down their operational capability. And that's entirely the wrong thing to have to do. So I think in agri-foods, the people there need to realize that the service needs to continue.
They need to get sort of, they need to be able to continue to produce and continue to move the produce around and get it to the right place. So they need to focus very much on resilience or rather, sorry, resilience rather than recovery. You can't be down for two weeks and then recover it and go, well, fine. That's two weeks of produce loss. Goodness only knows the impact that could have.
How you get around that is, well, I think you just have to look at all the normal controls that people focus on these days. So how am I going to prevent ransomware? How am I going to keep my network segregated and safe from different external threats? And if we do get a breach internally, how can I make sure that other aspects of my network are segregated away from that?
And finally, I think probably the key thing to think about is how most of these attacks start, which is very much the space I'm passionate about right now, which is the human side of the risk. It's really interesting to look at enterprises and what they do is they seem to spend about 90% of their security budgets on technology.
And yet when you look at the statistics, about 90% of the threat comes from people who will click on links, who will open attachments, who will do silly things, send information to the wrong place. So actually there's a real imbalance there. And normal large enterprises are still dealing with that themselves.
So I think as the agri-food industry starts to really get in and tackle cybersecurity, they need to think about this education and awareness to change the behavior of the people who are involved in the whole end-to-end process. Because that's where many of those vulnerabilities and those issues will begin, but they can be cut off with some good education and training.
Absolutely. And I think this is why cybersecurity has to be included in food safety culture, because the more you tie it to the safety of the food, the more people will care about it and the more they'll, you know, be careful, I guess is what I'll say.
It's interesting to sort of have the analogy with air traffic, because in air traffic control, I didn't care about confidentiality one jot. And we all talk about cybersecurity being the triad of confidentiality, integrity, and availability. I didn't care about confidentiality. If we lost our HR database, sure, that was a rough day, but hey, it could be so much worse.
We had to focus entirely on integrity and availability of data so the air traffic controllers could do their job. And if that dot was on the screen, we knew that was exactly where that dot was. And they'd rather have no dot than an incorrect dot. So integrity was vital and availability was vital. I think those aspects actually are true with the agri-foods as well.
The confidentiality is not that much of a big deal, but the integrity of the data to prove the provenance of their foodstuffs and the availability of their systems to process it and bring it through from farm to fork is really key for them so that they're not just a normal cybersecurity journey. It's slightly different. It's much more critical national infrastructure thinking.
It's much more about safety level thinking.
I'm glad you said that because that's very true, especially even just in straight up manufacturing. It's availability that's the king, if you will. That's so important. And I was thinking about since we were both at RSA recently, I was thinking about the marketing information I saw walking around. I don't know if you happen to notice some of it as well. I'm sure you couldn't not actually.
But there was one particular vendor who said something like, we eliminate all operational technology risks. And I was like, so you take the people out? Like, that was my immediate response in my head. And it was funny because I ran into another host of another podcast who interviewed me on the floor and I said it to him and he was like, wait, what?
And I was like, yeah, you got to take people away from it. If you keep people in there, you can't eliminate all risks. There's no way. And you just said that. It's crazy to think that people think that you can do the X, Y, Z, da, da, da. But if you don't train your staff or they don't understand why it's important and where they should care, that leads to more problems. And it's so frustrating.
Pipeline is a great example, but I was thinking of JBS. That also showed that you have to have important disaster recovery. This is continuity planning. You can't retract beef once it's hit the trailer. There's no food or pasture necessarily for them to go back to the farm. And it might have been struck pretty far depending on where they were coming from.
Now you get stressed out meat that's defecating on itself. Yeah. And there's all these other additional food safety issues that are happening because of it. That was such a devastating situation that has such long-term effects. And God knows the payouts were rough. They were paying so much, not only for the ransom, but the cleanup, if you will.
And they don't, this is the problem is, oh, it's not going to happen to us. But if it does, we'll be fine. How can you assure, how is that assured? Like, I don't know. That's frustrating.
It is, and I think that chicken company I was talking about, they actually went through all of their processes and they worked it out that if they had no computers at all, they could still do it. They went back to the paper process. How would we do this with no technology? How could we know what we were doing? And I think that's a very wise thing to do.
We've seen other organizations do that when they had ransomware. There was Norsk Hydro, an aluminum or aluminum, sorry, smelting factory. And they again had to go back to manual processes because their computer systems were wiped out by ransomware. So we do need to think all the way through how could we keep our services going when everything is gone, and certain industries really need to do that.
I think agri-foods is one of them.
I completely agree. Andrew from the U.S., do you want to weigh in since you're on the front lines of agrotech?
Indeed. Two years ago in Fargo, we ran a tabletop around resiliency in a big part of the agri-supply chain. And to Andrew's point, resiliency, not only in an organization, but in an entire supply chain is the critical piece because you've got competitors that if one goes down, it's either wolves on the carcass or everyone bands together and makes sure that our citizens get fed, livestock gets fed.
We ran through the what if. What if the computers go down? What if there is an attack here? And Andrew, to your point, paper was the way that things are going to move around. The issue was there was no more paper because everything had been transferred to digital. And the people that knew how to use paper have either all retired or almost are retiring.
So there was the human element of how do we move things, as well as the physical: how do we record things as they're moving down the chain? Here, we are going to meet in Fargo on June 11th, and part of that conversation is, two years later, where are we? You know, have things been solved? Is there more communication between competitors? We are bringing in the association heads as well, so it's not just the companies, it's the, we won't call it oversight, but the group that keeps them together. And I think sometimes it's better to have them say, hey, this entire sector needs to function the way it should.
And the other piece, Andrew, I'm going to talk about is the integrity of data. You mentioned that part there, too. This is public. Back when COVID hit and we were racing to get vaccines done, there was a cybersecurity incident with the calibration of the thermometers. And much of the vaccine was lost because of that attack. And it was an integrity of data.
The data readout looked good, but it wasn't. And it was done in such a way, in such a minor way, that would have been missed. And that's just another issue that, you know, Andrew, going back to the integrity of data is...
Critical, critical. Otherwise, you know, if you're reading your screen or you're going to print a report, everything looks good and you can't figure out why things aren't matching up or correlated. And the last piece, too, and this is what I'm really excited about, is the social engineering piece of it.
You know, again, we spend so much money on blue team, red team, pen testing and all this stuff, which, yeah, you should patch your stuff. Things should be updated. There should be somebody watching over all your credentials. But social engineering, especially AI-enabled social engineering, it's here.
I mean, we were warning about it 18 months ago, but now it's here full force and we are not prepared. I mean, the tsunami came in and we were still sitting on the beach with our lawn chairs.
That's a really graphic description. Wow. I think the thing that's really interesting about this is it's such a distinctive difference between the enterprise side and the industrial farm, a whole bit manufacturing that people keep trying to twist it to be like enterprise.
So when they talk about it in groups, like especially, and I'm sure you've run into this too, where you're trying to explain what you've dealt with in your career and what you've seen on the industrial side to someone who's only been in enterprise, they kind of look at you funny, like, but why would you do it that way?
And my response back is a risk in your environment isn't necessarily a risk in my environment and vice versa. It's the people that are always going to be the biggest risk, full stop. Whether it's their safety or they're doing something or didn't mean to do something or something happened. Most of the time, it's the people that are causing the problem. I would say probably 90% of the time.
Technology doesn't wake up one day and decide to give itself a virus. You know what I mean? That's not something that it does. If it starts doing that, then we're done. We've got bigger problems. The days of it's become sentient, it's here. No, not yet.
What I think is frustrating from a cybersecurity point of view is I feel like I have to evangelize so much into the cybersecurity world to let them know that this is a problem, that agriculture and the food industry need help. And not because it needs help, but because it's the right thing to do too, because we all eat, you know, we need to care.
And the fact that it wasn't added to the 16 critical infrastructures or 15 at the time until 2020 completely pisses me off. Like, we've been eating and harvesting and doing this for the dawn of time. And here we are not realizing that we need to care about it because oil and gas go first. Automotive goes first. You know, water is not even really a consideration at times.
We have to rope that into the food industry because it's so prevalent in not only the production of food, but creating food. And I'm actually at a place where I'm simmeringly angry at all times about it now. We need to do something. Like we need to keep talking about it. All I do is evangelize. Like, hi, we need to care about cybersecurity and food. The food teams get it.
The food scientists, the quality people, the protection people, they understand. The defense teams definitely get it because we can help them fight food fraud and obviously all the drug issues that are happening in the food industry. But it's just like, why aren't cybersecurity people click? Where's the light bulb moment? Why aren't they understanding this? Is it because it's too hard?
Because it's too, I don't know, food is a very emotional thing, you know, because we have that connection to it. I just don't understand. That's where I get a little annoyed. And this is just me sharing a general annoyance.
I think on that one, I think a lot of the cybersecurity people out there, most of them are very focused on that CIA triad and confidentiality is everything. And integrity and availability is probably IT operations problem. So they come at this from the wrong angle straight away. And I also had to retrain people who joined my team to sort of refocus them on the key things.
So I think they come at it from the wrong place. And I think there's a perception across society that agriculture is not technology based. You know, it's probably the one thing that's not technical. They see it as, oh, there's wheat in the field. Okay, that's not going to get, you know, malware. It's not going to get ransomware.
But actually, it's all the process of the technology that puts the wheat in the field, brings the wheat out of the field, and gets it to your store. Absolutely, that's technology-based. So I think there's just a perception that this is different, that this isn't at risk from those cybersecurity issues.
And with the lack of cybersecurity people focusing on the right aspects of it, I think that puts us into this really poor position, which is, again, why I got involved, because I perceive this is the most critical national infrastructure. And yet it just gets so underserved in terms of commentary and governance and oversight and support generally.
Yeah, I know enough about the UK side in terms of the food industry and the agriculture side to know that it's very regulation driven. There's almost like a police for everything, which I don't think is really a bad thing because it's keeping you honest. Right. But to the point where the farming, let's be real, and I think
Andrew might be able to weigh in on this too, isn't exactly like a money-making role. You can make some money in it, but you basically break even, or you pray to God you break even by the time the season's over. It's so much stuff that they have to deal with. The weather, which is constantly an issue, obviously. The soil, because it's being destroyed. Bugs, because bugs are a problem.
And then human factors, people being jerks around the fields, doing other things. And then now people are saying, oh, you know, they got all these subsidiaries and all these things, but that doesn't necessarily help with what they need to deal with on the back end. And farmers are very concerned about their data. They're very concerned about where it's going.
As the consumer becomes more educated, they're going to want more and more tracking. Like what plant did this particular soybean come from? It might come down to that. And that's an incredible amount of pressure that's put onto the farm. That's more stuff that needs to be dealt with. It's actually been stated in multiple reports that the food industry is a low hanging fruit.
The food industry just needs support and help from all of us. That's really what it needs. And I hope that as people are listening to this, they start to ask questions critically, even when you're watching a TV show like Clarkson's Farm, because there's quite a bit of tech on that. He's got a tractor he drives around with a joystick. Something like that.
Or when you watch like a show about food factories or something like that, do you understand the food safety ramifications of having that crew in there or what that looks like or how they produce? Do you have questions about, you know, follow the network cable? I want people to ask those critical questions. And I have that come to me quite often. How do I get involved in food?
How do I get involved in operational technology security or ICS? How do I get into these things? Stay curious and ask a ton of questions. Get to know the people who work with it because it's the people in process at the end of the day, as we've already said, that are going to make or break a situation.
So with all of that, and your US side, what are some of the most pressing cybersecurity challenges facing the agriculture and food production sectors today? Because that just flows beautifully into what we were talking about.
Number one, you touched on is awareness. When you look at Maslow's hierarchy, I've been involved in this for eight years, and I can state with a fact that food, agriculture and water fight for last place in terms of resources from our government for protection. Yet absent water, you live three days. Absent food, you live for about three weeks.
You know, if your Internet goes down, the life's going to suck. But, you know, we got by in the 80s and it worked out right for us. You know, yeah, you take, and I mentioned this at a high level briefing, you know, if we go five days without food, you're going to break a law if your kid's hungry. And three weeks without food, that's the end of the government.
I know some other people have a slightly shorter timeline than that, but I think I give our government three weeks without food before everything falls off. And back to the initial question that you asked, I think the real issue is that we generally, as a species, take our food for granted.
That the availability, at least in the first world, maybe the second world, we just go to the store and get it. There's a complete disconnect of all the different pieces that it takes to get it from the farm to your plate and all the intermediary steps in there. And if you just take that for granted and you remove the foundational piece, there's going to be we're on demand.
You know, this is there's not like there is a warehouse full of bread that's going to be shipped if you're unable to produce more to go with that. And then and just
From the existential risk, you know, we talked about bugs and other things that, I mean, the one that really took us by surprise was the solar flare knocking out all the GPS systems, all the John Deere tractors in Canada right before planting.
You know, you get a short window for planting, you disrupt that, and all of a sudden, if you lose a crop, you can't plant it tomorrow and hope that it comes back in a day or two. I mean, it's like trying to raise a teenager. It's going to take 18 years to get that person to adulthood.
Speaking of that, will you explain why GPS is important to planting? Because I think a lot of people are like, oh, who cares if GPS is knocked out on tractors? You need to care, by the way.
You do. Agronomy is so advanced right now that we are planting seeds at depths within millimeter calibrations, spacings of the same. These plants are engineered to grow at a certain rate. Their leaves will shade out the weeds. Their spacing, everything is down to the nth degree. And that's not even taking into account the soil moisture, any kind of inputs that need to be done like that.
But it's incredibly precise. And if you think about all the money being poured into ag technology, it's all about that data. The more granular you can get on that data, you did mention data and data is a huge concern. Obviously, we're mutual friends with Pablo.
And I love Pablo's idea of creating an ag data lake that some sort of oversight will administer and can then take parts of that data, share it with somebody, but make sure that the farmer gets some sort of reimbursement for that data. Because there's so much that's being put on farmers these days. I mean, forget about environmental regulations.
I was at an event recently, a very large event, and someone made the suggestion that we should blame farmers if there's a cybersecurity attack on their farm. No. Exactly. And I said, I stood on stage. I said, no, stop. Do not even go down that line of things.
Hey, listeners, I hope you're enjoying this insightful conversation with the Andrews. Just a quick reminder, if you love the show, please share it with your friends, family and coworkers. Also, give us a rating on your listening platform. Believe it or not, it really does help promote the show and reach new listeners.
Check out the new merch store on the website. There's a variety of items from aprons to T-shirts to hats, and even some stuffed animal toys. Lastly, if you have a few minutes to spare, please complete the audience survey on the website. It's a great way to give your feedback about the show. Finally, thank you to all the listeners.
The show has just passed 4,000 downloads since we started in October. And we are listened to in 65 countries. It's just amazing. And you're amazing. And your support means the world. Now back to my discussion with the Andrews.
One question I do have for the two of you. So Kristin, what's the longest you've gone without food for?
Probably close to 48 hours due to travel.
Andrew? Probably about 48 hours due to food poisoning. I just couldn't keep anything down.
That's awful.
My record was five days. And I did it as a dare because a friend of mine told me he did 10. And I thought that I could maybe do 10 too. I got to five days and it was so painful. I mean, physically painful. It felt like there was somebody inside my stomach with razor blades just slashing at me night and day. You couldn't sleep with that kind of pain.
And when you hear this term, the gnawing hunger from Appalachia, that's what it felt like. It felt like something was trying to eat me from the inside out. That disconcerting feeling after four or five days, you're desperate. You're going to do a whole lot of things.
So, you know, if anything comes out of this, I do hope cybersecurity community and the regulatory community understands how important food is to us as a species. And if we're not learning lessons from the war in Ukraine, Russia is going to take out electricity in the winter. So you freeze to death and you take out the food in the summer. So you starve to death.
If we're not thinking that we're moving into wartime footing and agriculture is not in the crosshairs, shame on us because I guarantee your adversaries are well underway to whatever planning there is out there. So hopefully this podcast will put a few red flags in the poll as well.
Well, let's talk about that just a teeny bit. So, and I'm not going to get into the politics. So don't think that that's what this is going to be. We're just talking about the outcomes. The Ukraine is a breadbasket for growing, right?
And now that they can't as much as they need to for even supporting their own country, but they also support out to Europe, that's putting pressure on to other areas that are flourishing in agriculture, such as like the Netherlands, for example. So let's talk a little bit about what that's doing to the rest of the growing area of EU. What's that going to do to the US?
Because we'll have to export if we do, if we choose to do that. In other places in the world, because we've already got food insecurity all over the place anyways, and people who are starving because of various other reasons, global climate change, various other things, other wars. How is this going to affect, in your opinion, the global food economy, if you will?
Well, I've got my opinions. I'll jump in here. So first of all, if we take a look at the entire globe, who produces more than they consume? Which countries are those? And typically you're looking at the US, Australia, and Brazil. And when the world is going into a food insecurity situation, the first thing you're gonna do is take care of your own population. I mean, that's just normal.
If there is excess, we want to take care of our allies as well. Here in the US, we certainly have a geographic advantage of having moats to our east and west, and friendlies north and south. And if you look at where most of our food goes, it's keeping the people to our north and south very happy. Food insecurity roils the planet.
There are going to be populations that are going to not stay within their borders, and there's going to be governments that will begin to topple. In order for us to keep our friends in different continents happy, if we can export some of that excess produce or excess production to them, that will help placate their populations and provide a soft power diplomacy.
I kind of have to get too political on this one here. What does it mean? It's going to mean, well, there's 8 billion people on the planet today. Today, there's not enough food to feed all 8 billion people. And that's just a given using traditional conventional methods of production.
If you look at a country like Sri Lanka, they went and politically made a statement that they will no longer have anything other than organic non-GMO production. And within, it was less than a year, they went from an upper middle class country, by definition, every
person in the country was upper middle class, to having the politicians swinging from lampposts. Everyone starved. Now the country's in receivership, just because of a political dictate. And if you look at what Europe is doing with a lot of their standards too, they're removing the ability for them to feed their own populations. They're going to become dependent upon other people for food, and that's,
you know, they're putting themselves in a weird position. Mexico's playing that same way. It's more of this dogma, this mythology that genetically engineered food or GMO or anything like that, which are scientifically, we need them. There is no other way to avoid that. But I don't know, it's a conundrum. And again, this is Andrew thinking out here. I think we've kind of reached the bounds of, the upper ends of intelligence as a species. You know, basically we're primates, you know, so maybe this is the furthest that we can possibly go. And this is, the next 18
months are going to be terrifying. With the Ukraine situation, they were very fortunate to get a grain corridor put up in the Black Sea. As you can see, they've been spending a lot of time on their aquatic drones and making sure that's secure. So they're able to get grain out more than we thought.
The issue was when they were doing it over land through Poland and the rest of Europe, all that glut of grain then drove prices down. So there was some reluctance to accept that grain coming across the borders. We'll see. It's not necessarily the food. It's the inputs. It's the fertilizers. And where are the precursors of those fertilizers coming from?
The majority are from Ukraine or Russia or China. So the next 18 months will be a little bit bumpy. I'll leave it at that before I get too dystopian.
No, it's okay. And I think it's especially important to talk about this in some capacity because we are a global food supply.
So I think what happens in one area affects the other, even though the US is somewhat insulated and we have our own issues, even the UK to a degree is somewhat insulated, but we still have issues on the borders, on the outside that are going to put pressure on our interior farmers. And since we've already got issues with environmental factors that are causing... It's been so hot in the UK the last
two years, two or three years during farming, during season, that their yields aren't as high and they're driving costs all over the place like you just described. So here in the US, we have some of the similar problems. And I don't think people realize how much of a trigger we're on with some of this. Every bite of food that we take is a privilege.
I always remind myself of that because I understand what it's like to have that moment where the food is in front of you is what you're going to get. And this is what you have to deal with. And if you want to, if you cannot waste it, it will go in the refrigerator and be leftovers for some other amazing meal the next day.
And I think of that often, especially within the food system that we're working in. And it's scary, but it's not to the point where we can reverse some of this, right? We can still work through this. Like you said, we're primates. We're just trying to figure it out, right? And as someone who studied primates, gorillas specifically, I definitely feel that on a whole other level.
The basic needs will be met no matter what happens. Hopefully it's just not in chaos.
One thing I do want to add to that, in terms of the heat and the environment and what's going on, there are some really interesting advances in genetics, both for proteins as well as for plants. I think it's probably common, we've developed a short-statured corn, which has a thicker stalk, same ear yield, but it resists a lot of those wind storms that come across the Iowa and Illinois and Indiana.
And Illinois came out with a strain of corn, I believe it was about two years ago, that requires 25% less water because now there's an abundance of carbon dioxide in the air that it can absorb. And it doesn't need all that water, but it hasn't evolved fast enough to reduce its water uptake. So through engineering, we're able to assist it in that function.
And I'm sure you've heard about the slick gene that we've got in the beef cows. So now we can have beef cows existing on a planet with an ambient temperature of 120 degrees. And I've heard rumors that dairy is not far behind on that one. So the piece there is making sure that we've got soy and other crops that can then feed the livestock that can exist on that planet as well.
So again, going back to science, because we're not going to be able to selectively breed ourselves out of the way of climate change. It's just not going to happen.
Yeah. We just have to work with it, I guess, is the best way to do it and adjust to it rather than, oh, it's the end of the world. It's not. We just have to make adjustments that may be a little bit uncomfortable. Swinging it back into cybersecurity. And this is what I love about doing this show is because we kind of expand our knowledge set a lot more when we talk.
As a cybersecurity expert, and I think both of you agree, the more you're informed about the things around the systems that you protect and the different type of people you protect, the better you can be at protecting them. Because if you don't have that knowledge, then what are you doing?
Andrew, I'm sure when you went and worked with the air traffic control, I mean, at the time, were you an air traffic control specialist or was that something you learned on the job?
I absolutely learned it on the job. So I came from a legal sector, which was entirely different, entirely, couldn't be more different. And then I was an analyst for five years. So this opportunity just came along. And it's the sort of thing you just can't say no to because it's a security world that means something. You know, working in the legal sector is fine. You know, you're keeping one
very rich company, you know, rich and helping them make a merger and acquisition to make them a little bit richer the next day. And that's fine, but it doesn't really mean anything. But air traffic control and those critical infrastructure things really does make a difference to you keeping people safe. It's all about safety. And so for air traffic controllers, I had to learn that on the job.
It was very much about sort of transferring my knowledge into the operational technology environment, creating a culture within those operational technology engineers to make sure that they understood that cybersecurity applied to them in their context.
And then started to wrap controls around all of those pieces to make sure that we could be safe. But it's interesting, Andrew talked about sort of anarchy and how long it takes. With air traffic control, we didn't worry about that too much, but certainly when I was at Mastercard, you know, we were doing all these interbank transfers, and we knew that it wouldn't be long if those systems failed. You know, if you couldn't go and buy food for your children, how long would it be before you were smashing down the windows and just taking the food? 48 hours, something like that. And so we knew that we were running systems which were critical
and had a really short time base before we created anarchy on the streets of our society. So it is something that people can build up a knowledge of, certainly, but it's not a natural thing. This OT security piece is still pretty rare. We talked about it at RSA, and there's not that many people around with this ability or this way to think through these situations from that angle.
No, we're definitely a very rare, small, niche-y breed of people. And we're very proud of it, actually. We get us in a room and we all completely geek out together. We really are a community, which I appreciate. And not just on the U.S. side, it's global. We talk to everybody. We're trying to educate more and more. I mean, I've double-niched myself between OT and the food industry.
So I'm kind of like a party of one, you know, a lot. Yeah. Which is okay. And you know what? I'm hopeful that people will join the party because we do have a lot of fun over here for food and ag. As we're wrapping up this conversation, because wow, I feel like I've learned a lot, which I really appreciate greatly.
Is there anything that you want to discuss about some of the future trends that are coming up? The things that are going to, we need to keep on our radar, not only as cybersecurity professionals, but any of the food people that are listening and beyond.
All right. Well, that's a bone with a lot of meat on it. So I'm going to pause here and think. One thing I do want to mention, too, for anyone who's listening who is in the agriculture sector, if something happens, please report it. There is an easy website called ic3.gov. You can report anonymously.
The government will use that information to both triage and identify trends, and it'll be a multi-agency response. If you file something and it's a low dollar amount, obviously the federal government has budgets. They need to justify the expense of going after something. But if you
report it and someone else reports it and a third person reports it, all of a sudden the aggregated amount gets to a level where they can respond. So please report to ic3.gov, report on behalf of your friends, yourself, anonymously again. The FBI is there to catch criminals. They're not there to victim shame.
If you call the FBI in, they're going to get it in and out as quickly as possible with full permission from you to access whatever it is they need. And then they're going to go catch the criminal, but they're not going to fix your systems. So I did talk to a large pork producer who was upset the FBI didn't fix his computers. I said, that's not their job. And he was,
I couldn't placate him, but I at least stated that as a whole.
Based on the FBI, right? I've sat in some food defense meetings talking with the FBI, and they always keep saying, get to know your field office.
Make a friend before you need it. Yeah, make a friend before you need a friend. That's usually my first bulleted point. But in the ag community, there is a little bit of trepidation about the FBI. There are certain sympathies for what happened on January 6th.
And the FBI will be the first to tell you everyone in this country has a First Amendment right to wave a flag, to have a bullhorn, to ring a cowbell. But once you take an action, that's when risk and consequence occurs. So sympathies are fine, you know, and they're not there to judge you on anything like that. They're there to catch criminals. That's
what they do, and they're really good at it. They have a long memory and they have a long reach to do so. So don't be afraid to report if something happens.
So in terms of future threats, from my perspective, I think there's a couple, and we've touched on some already, actually. I think the global threats, the nation-state threats against critical infrastructure are escalating. We're seeing, you know, nation states looking to impact the economies of the competitors and the enemies, as it were.
And this is being done in a multifaceted way, whether it's political intervention using disinformation, whether it's attacks on systems and capabilities just to undermine the trust in that society and create division. But I think, as Andrew mentioned, the food, agriculture environment is vulnerable to this and could be such a force multiplier.
So we can expect really competent cyber attackers to start looking at this space. And that worries me because obviously the new technologies are coming out right now. And we've all talked about AI and all those sort of things in every other conversation we ever have. But those things are going to enable the attackers to amplify their capabilities.
And we'll start to see hyper-personalized attacks coming in. So today that's always been talked about spear phishing. Figures out that Kristin likes skiing. And so we're going to invite her to the local skiing club or whatever it is. But that takes time for an attacker to do. So it's relatively rare.
But actually with AI, hyper-personalization delivered in grammatical perfection with a really compelling lure and a compelling push linking back to news stories that you're interested in because they know what news stories you follow. Now that's on the verge of coming out.
And then that could be supported by a deep fake video, which is your partner or your boss or someone like saying, you must do this. You must click on this link. So we're going to see all those new technologies being utilized in the next wave or two of cyber attacks being utilized by these very competent nation states to disrupt our societies. And again, agriculture is right in the middle of this.
So I'm worried about where that goes. And I think the thing we need to do is we need to start raising awareness of the capabilities first. Because if people understand what a deep fake is, they understand what AI can do, then they're much better protected about it. They're more inoculated to the possibility because they go, oh, I've heard about it. This could be really weird, couldn't it?
It doesn't look quite right. So we need to educate, definitely. But we also need to start building those controls in. Because Andrew and I have done a podcast together before, or a webinar, I think it was. And there was lots of discussion about all of the innovation that's going on in the agri-food environment. All of these startups come here with brilliant ideas for improving our capabilities.
And that's awesome. Love it. But I'm really concerned that those guys are doing this with not enough of a focus on cybersecurity. Very early on in sort of the physical security phase, when suddenly everyone realized that you could actually connect your iPhone to your front door and you could actually open your front door with an iPhone and you could sort of have a doorbell.
pushes that all those products, the first wave of those products came out, no security embedded because it just wasn't seen. They just wanted to create functionality. That was key. First to market with functionality, all they wanted. And I'm concerned that perhaps that happens again in this industry. And that would be a devastating mistake.
Because if those are adopted and put into systems, put into processes where we know critical infrastructure has a problem with legacy tech, you buy it once and you keep it for 20, 30 years and you don't change it. If they're going to embrace these new technologies and put it on their farms, it's going to be there for a while.
And if that's not capable of being secured properly, then we're building huge problems for a long period of time here. So there's a lot here. That's a lot that concerns me, which is why I think it's great that we have this podcast and other conversations to try and raise awareness.
So those startup companies can perhaps think twice when they're creating this great new function and thinking, well, perhaps I should build security and perhaps that will enable us to be better in the future. Absolutely it will.
I think also having agro tech in general be built with security in mind, as well as really super important. So any product security people that are on here, hello, can you do that for us? That'd be great, because it would just get that little bit more of okay, we're somewhat protective. And now we just have to do everything else around it.
That would be a lot more assuring, I'm sure to a farmer than just going down to like the local farm store and buying, you know, a drone that doesn't necessarily, you know, connects and everything, it could cause a problem or something like that is a bad example. But I really think that we need to have better product security inside of this, the farm tech.
We absolutely do. And there's one sort of incentive to this because there was a product that was released into aviation and aviation is very picky about products, but this was released into aviation and it was put into pretty much every jet and every airliner, but it wasn't really built with security in mind. And so it can do its little function, its little dumb function, and that's all it does.
The problem is if they built security into that from the off, then that would have had so much more potential for growth. They could have got that little system to grow and do more functions and bring more functionality and more operation capability to the cockpit if only they built security in from day one.
They never did, and so now it's hamstrung entirely to only do a dumb job. So think, if you're a product developer and you're in the space, think very much about, if I want to create the length of delivery, to create a value chain that can get longer and longer with my product, then I need this to be secure. It needs to talk in a secure way, to authenticate correctly using zero trust principles.
It needs to be able to be scalable. All of these other security things need to be built in. And if you do that, then you have a product which you can maintain and build upon for years. And that's where your company will grow.
That's great advice too. As we're wrapping up for a final here, any last words before we go to the listeners?
I do want to give an amen to that. I've been preaching the secure by design principles to robotics and ag tech companies, and it's not a resistance. Oh, didn't think about that. So it's not a... It's worse. Well, I mean, they're concerned with interoperability, exchanging information, flow of data. So security is obviously an afterthought, if it's thought at all.
But by putting that in the top five on their list, now it's there. I'm also coming from the investor standpoint. So an investor is not going to want to put money into a company that's going to have a lifetime of patches and upgrades required because they weren't thinking about security on the front end. That's just going to degrade their investment dollars, too. So there is no pushback from that.
It's just a lack of awareness, which is the first step in anything. Another piece that I mean, this is more of a global piece, but as a species, we rarely will fix something until it's been broken. So we didn't even understand how significant this was until the JBS attack.
So Andrew, I'm just hoping that somebody someday will come back to this podcast and say, oh, all those things Andrew said, yeah, we're going to implement them now that something has occurred, you know, rather than getting ahead of the attack. So I'm not, I mean, I don't want to be overly cynical, but it appears that's typically the way that we operate.
The thing that we haven't talked about here, and Chris, maybe you'll cover this in another podcast, was the Microsoft hack of all the executives. And there's a lot of speculation that the source code is gone and that the Russians now know every zero day vulnerability before Microsoft does.
I don't know if you've been watching your Microsoft updates lately, but every day now there's another patch coming in. And again, Microsoft, I'm just speculating. No one's admitted anything yet, but I have a high suspicion that some of that could have been compromised. And then going back to the secure by design is the liability piece.
Let's say that there is that one little thing that everyone's using that isn't secured. What happens if that's a conduit for an attack? Then who is going to hold the liability? Is it the end user? Is it the farmer or the agribusiness? Is it the manufacturer? Who knows? Are they still in business? There's a lot more questions there than there are answers.
And as I mentioned before, we need to understand we're in pre-war footing here. Our enemies are already pre-positioned into our critical infrastructure. If we're not aware of that, if we're not mitigating and responding to that, shame on us.
And with the, and again, this is Andrew just speculating out there, with the number of onslaught of attacks and the increase in velocity of these attacks, we still are playing the nice guy. You know, we're still putting the fires out, fixing things, and whatever offense we're taking is shrouded in opaque for certain reasons.
Yeah, but we're going to reach a day when this crescendo is so great that we're just going to take the gloves off and start hitting back. And, you know, I'm kind of looking forward to that. I mean, just... They said that a cyber attack could constitute an act of war. And I know that's been said, but I haven't seen it acted on yet.
But it breaks my heart because for every ag hack that you see, there's probably another 90 that I hear about that aren't seen. And it breaks my heart what's going on right now. And I really would love to punch back a little bit.
I really wish that people would share more. And this is why I always say that cybersecurity in a lot of ways is about mitigating shame. It's not just about risk, it's shame. Because people feel a sense of shame when they get hacked. They feel a sense of shame when they haven't done enough or they have to report it. They have to suck in, oh, I did something wrong.
I don't think people realize how much we don't look at it like that. We're like, OK, what happened? All facts. Okay, good. Now let's deal with it. Or this is the things we could do to prevent that feeling in the first place.
And I really wish that people would deal with the shame up front and know that they just have to deal with everything that's going on to avoid the icky, oh God, we might've killed somebody because we poisoned our food or something else really bad happened or people just died.
Or Kristin, I mean, the easy answer there, at least the normal reaction is let's just fire the CISO, you know? Absolutely.
Yeah, let's not, we need to stop that too because that's, you know, scapegoating isn't going to help in the long run. Just makes your company look like a bunch of jerks. That's frustrating. And then here we go back to the simple aspects of farming. Again, they now have to worry about cybersecurity. It's kind of a bunch of crap, right? Because this is frustrating. They just want to grow plants.
Like this is what their family's been doing forever or whatever they've chosen the career to do it. And now here we are overloading them. So the idea is to make it easier for them instead of fighting with it. Yes, you have to report when things happen. Yes, you need to reach out to your peers. Yes, you need to talk to people. You all talk to each other anyways. Keep talking to each other.
You know, we need to know what's going on. And we really have to stop this silo thing that we have in cybersecurity and beyond of we don't talk to each other. I hate that. This is what makes us insecure. We have to communicate things that are going on and not because, oh, shame, legal. Oh, I can't talk about it. You could talk about it and just not talk about it. You know what I mean?
There's a way we're all really good at it. We're all really good about not talking about companies. But yes, something happened. And we need to share the steps that were taken instead of the after effect of crisis teams and all of a sudden recovery. And we're going to be resilient through this.
If some kind of major incident happened at a small farming company or a midsize farm company, it would take them out financially because nobody has 10 million in the bank necessarily, right?
So Kristin, are you setting up the next podcast? Because we ran a field exercise recently in Pennsylvania that is pretty much word for word what you described. There were two identical companies, agribusinesses. They both got hit almost on the same day, the same ransomware, same actors. One paid ransom, one didn't. And we were able to do 18 months later postmortem on what that was.
And it is amazing. We haven't released a white paper yet, but that was part of the volunteer work I do for the Bio-ISAC.
When that white paper releases, will you please let us know? Because I know I would definitely like to read it. I'm sure Andrew would read it as well.
Well, it echoes what you said. The CEO, they didn't even think that this was anything other than why us. It was emotional. It was tears. It was employee tears. So they felt personally attacked. They didn't even think about law enforcement or anything. They just wanted to get everything cleaned up and get their systems online. It was a significant financial hit, a significant
time hit and they are a major player in the country for the sector they serve, as was their competitor. So yeah, affirmation to what you just said.
Wow. Yeah, so good. I'm excited for that white paper, and I'm terribly sorry that that happened to them, because we do feel that. Like, we don't want this to happen to people. It, some people think that we're, you know, we're ambulance chasers. We're not. And everything that's happening is happening because, we've all said it over the last couple decades, we needed to prepare for this. We haven't, so these are the consequences. And I want to just make sure that we have safe food for everybody in the supply chain.
Thank you both for being here. This has been a great conversation. I have adored it. I will have all the ways to contact both Andrews in the show notes. Probably some of the other fun things like secret pizza and Scott's pizza tour will probably be in there as well because we're all ultimately foodies at the end of the day.
And I will make sure I put some of the reporting things that Andrew had mentioned such as IC3 and things like that. So thank you both for being here. Really definitely appreciate it. We're going to have to do this again, obviously, because clearly we ran out of time.
We have to find the other Andrew Rose. Yes.
Oh, I know where he is. It's just a matter of getting him on here. He's defense, so he's often kind of reticent about talking in public.
We'll have to wait until he gets declassified or something, and then we can have him on.
Pretty much.
Anyways, thank you both for being here. Really appreciate it.
It's been wonderful. Thank you, Kristin. Thank you so much.
That brings us to the end of this Bites and Bytes podcast episode.
It was a long one, but you made it through, and hopefully you gained some new knowledge about agrofoods and cybersecurity. A huge thank you to my guests, Andrew and Andrew, for sharing their experience, wisdom, and most importantly, their time. All the information discussed during the show will be in the show notes and on the website.
Thank you for listening, and I hope you have a fantastic day or evening wherever you are in the world. Stay safe, stay curious, and we'll see you on the next one. Bye for now.